Attacks Discovered that can Corrupt MLC-based SSD Data

R-T-B · May 25, 2017

It appears that although MLC NAND-based SSDs have many advantages to HDD's from a physical-reliability point of view, the old spinning rust drives might still have one advantage over SSDs: A specially crafted write operation can't corrupt your data.

That's what a new report from Carnegie Mellon University, Seagate, and ETH Zürich is showing: That MLC-based SSD Drives are vulnerable to data-corrupting attacks as simple as a specially crafted write operation.

The first attack is compared to a "row hammer" attack, in which thrashing the drive with read or write operations along the border of a cell can corrupt legitimate data in nearby cells. Most attacks operate in variations of this principle, but some also rely on techniques such as special sequences of operations that will cause cached data and pages to be lost, effectively ruining your precious file the SSD was waiting to write to its media.

HDDs for their part, are not completely data safe even when they are operating correctly. They have a UBER (unrecoverable bit error rate) rating that indicates how often the HDD will make a (mostly random) mistake reading its data from the platter. This phenomenon (often referred to as "bit-rot") is not common in a correctly functioning HDD, but it does happen. The difference is it's not directly triggerable by a specially crafted write: Bit-rot errors are more or less random. Needless to say, the potential for malware to utilize this trigger-able corruption on your SSD is not a good thought at all.

If you want the technical details, they are available in the source link. For now, all you need to know is pretty much all SSDs are vulnerable to what was discovered here, but no exploits are live yet and due to there being no money in just wrecking your stuff (as opposed to say, ransoming it), there probably won't be a significant amount of malware featuring this exploit. Just practice good data hygiene as per usual and chances are all will be well. We don't mean to chase you back to HDD land just yet.

Oh, and one final caveat: SLC SSDs are immune, but good luck finding one that isn't outrageously expensive.

View at TechPowerUp Main Site

Solaris17 · May 25, 2017

Not as easy but just as interesting.

http://spritesmods.com/?art=hddhack

bit of light reading.

silentbogo · May 25, 2017

R-T-B said:
A specially crafted write operation can't corrupt your data.

can?

R-T-B · May 25, 2017

silentbogo said:
can?

Uh, maybe. I was unaware of any HDD-based attacks when I wrote this short of sanitize commands, but @Solaris17 has an interesting article there that might beg to differ.

EDIT: Ah, I see what I did. I'm saying that's an advantage HDDs hold over SSDs, but honestly it could have been worded more clearly. The article Solaris linked while interesting, maintains that status quo.

lexluthermiester · May 26, 2017

Having read the details of this problem[ https://people.inf.ethz.ch/omutlu/pub/flash-memory-programming-vulnerabilities_hpca17.pdf ] I can't help but ask if this is something easy to pull off.

First, you need to create code that can directly access the SSD controller as most OS's disallow such access by default. Second, you need the code for interfacing with the SSD controller of target, not easy as there are literally 1000's of different controllers out there. Third, you would need to write your code for the host OS[generally]. Fourth, you need to engineer an injection method to the host system. Any code that matches these characteristics is going to be flagged by any competent AntiMalware/AntiVirus. This would be near impossible to pull off unless you had direct physical access to the system you want to affect.

silentbogo · May 26, 2017

R-T-B said:
Uh, maybe. I was unaware of any HDD-based attacks when I wrote this short of sanitize commands, but @Solaris17 has an interesting article there that might beg to differ.

EDIT: Ah, I see what I did. I'm saying that's an advantage HDDs hold over SSDs, but honestly it could have been worded more clearly. The article Solaris linked while interesting, maintains that status quo.

Just move it to the same paragraph as the rest of the sentence - it will make more sense.
Seeing this line separately completely threw my brain off balance.

PowerPC · May 26, 2017

And all this doesn't apply to TLC-NAND drives?

R-T-B · May 26, 2017

PowerPC said:
And all this doesn't apply to TLC-NAND drives?

Hard to say. Some reports I've read say it does, some say it does not. Admittedly it's a bit too over my head to tell you either way.

lexluthermiester said:
Having read the details of this problem[ https://people.inf.ethz.ch/omutlu/pub/flash-memory-programming-vulnerabilities_hpca17.pdf ] I can't help but ask if this is something easy to pull off.

First, you need to create code that can directly access the SSD controller as most OS's disallow such access by default. Second, you need the code for interfacing with the SSD controller of target, not easy as there are literally 1000's of different controllers out there. Third, you would need to write your code for the host OS[generally]. Fourth, you need to engineer an injection method to the host system. Any code that matches these characteristics is going to be flagged by any competent AntiMalware/AntiVirus. This would be near impossible to pull off unless you had direct physical access to the system you want to affect.

Thanks for the insight. Yes I read it but a lot of the low level logistics of it go over my head. Your insight here is appreciated. I'm way too used to thinking of storage as just a logical block device.

lexluthermiester · May 26, 2017

PowerPC said:
And all this doesn't apply to TLC-NAND drives?

As the information is presented, no. TLC is accessed a different way. Same for SLC. This problem seems exclusive to MLC. And it's going to be corrected in firmware updates as well.

lexluthermiester · May 26, 2017

R-T-B said:
Thanks for the insight. Yes I read it but a lot of the low level logistics of it go over my head. Your insight here is appreciated. I'm way too used to thinking of storage as just a logical block device.

Same here, which is what motivated the deeper read. Generally, it is difficult to target a device within a system. So while this vulnerability exists and CAN be attacked, it would take a serious effort. This is not likely to turn into a problem.. But it is good to be aware of.

ypsylon · May 27, 2017

This is nothing really ground breaking. Any kind of electronic can be compromised in such way, its just matter of determination and resources. Fortunately it would require physical access to the system in question and plenty of time to do the shenanigans without risk of getting caught.

If somebody is terrified then winning the lottery comes with same odds as this ^ one.

System Name	Pioneer
Processor	Ryzen R9 7950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64

System Name	Rocinante
Processor	I9 14900KS
Motherboard	EVGA z690 Dark KINGPIN (modded BIOS)
Cooling	EK-AIO Elite 360 D-RGB
Memory	64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s)	MSI SUPRIM Liquid X 4090
Storage	1x 500GB 980 Pro \| 1x 1TB 980 Pro \| 1x 8TB Corsair MP400
Display(s)	Odyssey OLED G9 G95SC
Case	Lian Li o11 Evo Dynamic White
Audio Device(s)	Moondrop S8's on Schiit Hel 2e
Power Supply	Bequiet! Power Pro 12 1500w
Mouse	Lamzu Atlantis mini (White)
Keyboard	Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD	Quest 3
Software	Windows 11
Benchmark Scores	I dont have time for that.

System Name	WS#1337
Processor	Ryzen 7 3800X
Motherboard	ASUS X570-PLUS TUF Gaming
Cooling	Xigmatek Scylla 240mm AIO
Memory	4x8GB Samsung DDR4 ECC UDIMM
Video Card(s)	Inno3D RTX 3070 Ti iChill
Storage	ADATA Legend 2TB + ADATA SX8200 Pro 1TB
Display(s)	Samsung U24E590D (4K/UHD)
Case	ghetto CM Cosmos RC-1000
Audio Device(s)	ALC1220
Power Supply	SeaSonic SSR-550FX (80+ GOLD)
Mouse	Logitech G603
Keyboard	Modecom Volcano Blade (Kailh choc LP)
VR HMD	Google dreamview headset(aka fancy cardboard)
Software	Windows 11, Ubuntu 20.04 LTS

System Name	Pioneer
Processor	Ryzen R9 7950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64

System Name	WS#1337
Processor	Ryzen 7 3800X
Motherboard	ASUS X570-PLUS TUF Gaming
Cooling	Xigmatek Scylla 240mm AIO
Memory	4x8GB Samsung DDR4 ECC UDIMM
Video Card(s)	Inno3D RTX 3070 Ti iChill
Storage	ADATA Legend 2TB + ADATA SX8200 Pro 1TB
Display(s)	Samsung U24E590D (4K/UHD)
Case	ghetto CM Cosmos RC-1000
Audio Device(s)	ALC1220
Power Supply	SeaSonic SSR-550FX (80+ GOLD)
Mouse	Logitech G603
Keyboard	Modecom Volcano Blade (Kailh choc LP)
VR HMD	Google dreamview headset(aka fancy cardboard)
Software	Windows 11, Ubuntu 20.04 LTS

Attacks Discovered that can Corrupt MLC-based SSD Data

R-T-B

Solaris17

Super Dainty Moderator

silentbogo

Moderator

R-T-B

lexluthermiester

silentbogo

Moderator

PowerPC

R-T-B

lexluthermiester

lexluthermiester

ypsylon